nerdctl
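1. Installation
Download the corresponding binary package from GitHub and extract it:
# If containerd is not installed, you can download the nerdctl-full-<VERSION>-linux-amd64.tar.gz package and install that instead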
wget https://github.com/containerd/nerdctl/releases/download/v0.11.0/nerdctl-0.11.0-linux-amd64.tar.gz
# If access is restricted, you can also use the URL below to speed up the download
wget https://download.fastgit.org/containerd/nerdctl/releases/download/v0.11.0/nerdctl-0.11.0-linux-amd64.tar.gz
mkdir -p /usr/local/containerd/bin/ && tar -zxvf nerdctl-0.11.0-linux-amd64.tar.gz nerdctl && mv nerdctl /usr/local/containerd/bin/
ln -s /usr/local/containerd/bin/nerdctl /usr/local/bin/nerdctl
[root@one ~]# nerdctl version
Client:
Version: v0.11.0
Git commit: c802f934791f83dacf20a041cd1c865f8fac954e
Server:
containerd:
Version: v1.5.5
Revision: 72cec4be58a9eb6b2910f5d10f1c01ca47d231c0
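The install step above fetches a release tarball, optionally from a third-party mirror, and puts its binary on root's PATH. The following added example (not part of the original page) checks such a download against a SHA256SUMS file before it is unpacked; it assumes the release publishes a SHA256SUMS asset and that this file is fetched from the official GitHub release rather than from the mirror. The function names and the stand-in file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): check a downloaded release
# tarball against a SHA256SUMS file before unpacking it.

# Print the SHA-256 of a file, using whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_release <tarball> <sums-file>
# Returns 0 on match, 1 on mismatch, 2 if the sums file has no entry.
verify_release() {
    vr_name=$(basename "$1")
    # Field 2 is the file name; binary-mode entries prefix it with '*'.
    vr_expected=$(awk -v n="$vr_name" \
        '{ f = $2; sub(/^\*/, "", f); if (f == n) { print $1; exit } }' "$2")
    if [ -z "$vr_expected" ]; then
        echo "no entry for $vr_name in $2" >&2
        return 2
    fi
    vr_actual=$(sha256_of "$1")
    if [ "$vr_actual" != "$vr_expected" ]; then
        echo "MISMATCH for $vr_name: got $vr_actual" >&2
        return 1
    fi
    echo "OK: $vr_name"
}

# Constructed demo: a stand-in file plays the role of the tarball.
demo() {
    d=$(mktemp -d)
    f="$d/nerdctl-0.11.0-linux-amd64.tar.gz"
    printf 'constructed stand-in for the release tarball\n' > "$f"
    printf '%s  %s\n' "$(sha256_of "$f")" "$(basename "$f")" > "$d/SHA256SUMS"
    verify_release "$f" "$d/SHA256SUMS"          # digest matches
    printf 'tampered\n' >> "$f"                  # simulate a modified mirror copy
    verify_release "$f" "$d/SHA256SUMS" || echo "rejected (exit $?)"
    rm -rf "$d"
}
demo
```

In real use, run verify_release on the downloaded tarball and continue to the tar and mv steps only when it returns 0.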
2. Using the command-line tool
1. Run & Exec
nerdctl run
nerdctl run is similar to docker run; use the nerdctl run command to run a container.
[root@one ~]# nerdctl run -d -p 80:80 --name=nginx --restart=always nginx:latest
docker.io/library/nginx:latest: resolved |++++++++++++++++++++++++++++++++++++++|
index-sha256:859ab6768a6f26a79bc42b231664111317d095a4f04e4b6fe79ce37b3d199097: done |++++++++++++++++++++++++++++++++++++++|
manifest-sha256:61face6bf030edce7ef6d7dd66fe452298d6f5f7ce032afdd01683ef02b2b841: done |++++++++++++++++++++++++++++++++++++++|
config-sha256:fa5269854a5e615e51a72b17ad3fd1e01268f278a6684c8ed3c5f0cdce3f230b: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:93e404ba8667c79caef3367388107d653d53c3ff8cd885fca19de1cdd13ac685: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:1fe172e4850f03bb45d41a20174112bc119fbfec42a650edbbd8491aee32e3c3: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:35c195f487df68cfbbecd2870aefb0ea52015fdb9ef15fd780838efc675dba45: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:213b9b16f4959ca5e12777fa9977f178cf778f615f893f859f2a4ce19838c485: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:a8172d9e19b90893f2eda38b25c9095c9822c924d7a44c7eeb44b30b0a639b9e: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:f5eee2cb2150b290f85c57dd78b1470b77819b511d092c9be1b10876ca48b885: done |++++++++++++++++++++++++++++++++++++++|
elapsed: 70.5s total: 54.1 M (785.8 KiB/s)
9aafb7429972aadbc7c8ba57ebf933b84a21d2c615c9208f6b9ff9688879c36a
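The optional parameters are largely the same as for docker run, such as -i, -t, --cpus and --memory. Use nerdctl run --help to see the available parameters.
nerdctl exec
Likewise, exec can be used to run commands in a container: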
[root@one ~]# nerdctl exec -it nginx date
Fri May 6 02:15:29 UTC 2022
3. Container management
nerdctl ps (list containers)
[root@one ~]# nerdctl ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
533b75d795c7 docker.io/library/nginx:latest "/docker-entrypoint.…" 3 minutes ago Up 0.0.0.0:80->80/tcp nginx
The -a option can likewise be used to list all containers. Note, however, that nerdctl ps does not implement the --filter, --format, --last and --size options of docker ps.
nerdctl inspect (show container details)
[root@one ~]# nerdctl inspect 4255bd2c93b6
[
{
"Id": "4255bd2c93b62ddfabd83176daab6f1799ccd0f7101e2f8491b3bac2622dbdfe",
"Created": "2022-05-06T02:26:10.070899995Z",
"Path": "/docker-entrypoint.sh",
"Args": [
"nginx",
"-g",
"daemon off;"
],
"State": {
"Status": "running",
"Running": true,
"Paused": false,
"Pid": 31509,
"ExitCode": 0,
"FinishedAt": "0001-01-01T00:00:00Z"
},
"Image": "docker.io/library/nginx:alpine",
"ResolvConfPath": "/var/lib/nerdctl/1935db59/containers/default/4255bd2c93b62ddfabd83176daab6f1799ccd0f7101e2f8491b3bac2622dbdfe/resolv.conf",
"LogPath": "/var/lib/nerdctl/1935db59/containers/default/4255bd2c93b62ddfabd83176daab6f1799ccd0f7101e2f8491b3bac2622dbdfe/4255bd2c93b62ddfabd83176daab6f1799ccd0f7101e2f8491b3bac2622dbdfe-json.log",
"Name": "nginx",
"Driver": "overlayfs",
"Platform": "linux",
"AppArmorProfile": "",
"NetworkSettings": {
"Ports": {
"80/tcp": [
{
"HostIp": "0.0.0.0",
"HostPort": "80"
}
]
},
"GlobalIPv6Address": "",
"GlobalIPv6PrefixLen": 0,
"IPAddress": "10.4.0.7",
"IPPrefixLen": 24,
"MacAddress": "46:fd:f7:a8:c7:c2",
"Networks": {
"unknown-eth0": {
"IPAddress": "10.4.0.7",
"IPPrefixLen": 24,
"GlobalIPv6Address": "",
"GlobalIPv6PrefixLen": 0,
"MacAddress": "46:fd:f7:a8:c7:c2"
}
}
}
}
]
nerdctl logs (get container logs)
[root@one ~]# nerdctl logs nginx
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: info: Getting the checksum of /etc/nginx/conf.d/default.conf
10-listen-on-ipv6-by-default.sh: info: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
The -f, -t, -n, --since and --until options are supported as well.
nerdctl stop (stop a container)
[root@one ~]# nerdctl stop nginx
nginx
nerdctl rm (remove a container)
[root@one ~]# nerdctl rm nginx
You cannot remove a running container 4255bd2c93b62ddfabd83176daab6f1799ccd0f7101e2f8491b3bac2622dbdfe. Stop the container before attempting removal or force remove
[root@one ~]# nerdctl rm -f nginx
nginx
To force removal, you can likewise use the -f or --force option.
4. Image management
nerdctl images (list images)
[root@one ~]# nerdctl images
REPOSITORY TAG IMAGE ID CREATED SIZE
nginx alpine 5a0df7fb7c8c 5 days ago 16.0 KiB
nginx latest 859ab6768a6f About an hour ago 16.0 KiB
nerdctl pull (pull an image)
[root@one ~]# nerdctl pull docker.io/library/busybox:latest
docker.io/library/busybox:latest: resolved |++++++++++++++++++++++++++++++++++++++|
index-sha256:d2b53584f580310186df7a2055ce3ff83cc0df6caacf1e3489bff8cf5d0af5d8: done |++++++++++++++++++++++++++++++++++++++|
manifest-sha256:52f431d980baa76878329b68ddb69cb124c25efa6e206d8b0bd797a828f0528e: done |++++++++++++++++++++++++++++++++++++++|
config-sha256:1a80408de790c0b1075d0a7e23ff7da78b311f85f36ea10098e4a6184c200964: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:50e8d59317eb665383b2ef4d9434aeaa394dcd6f54b96bb7810fdde583e9c2d1: done |++++++++++++++++++++++++++++++++++++++|
elapsed: 7.9 s
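nerdctl push (push an image)
Before pushing an image, you can log in to the image registry with the nerdctl login command and then run the push.
Use nerdctl login --username xxx --password xxx to log in, and nerdctl logout to log out. A password passed with --password is recorded in the shell history and is visible in the process list; nerdctl login also has a --password-stdin option that reads it from standard input instead.
nerdctl tag (tag an image)
The tag command creates an alias for an image: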
[root@one ~]# nerdctl tag busybox:latest ccr.ccs.tencentyun.com/piao/busybox:latest
[root@one ~]#
[root@one ~]#
[root@one ~]# nerdctl images
REPOSITORY TAG IMAGE ID CREATED SIZE
ccr.ccs.tencentyun.com/piao/busybox latest d2b53584f580 5 seconds ago 1.3 MiB
busybox latest d2b53584f580 3 hours ago 1.3 MiB
nginx alpine 5a0df7fb7c8c 5 days ago 16.0 KiB
nginx latest 859ab6768a6f 4 hours ago 16.0 KiB
nerdctl save (export an image)
[root@one full]# nerdctl save -o busybox.tag.gz busybox:latest
[root@one full]# ll
total 768
-rw-r--r-- 1 root root 785408 May 6 14:49 busybox.tag.gz
nerdctl rmi (remove an image)
[root@one full]# nerdctl rmi ccr.ccs.tencentyun.com/piao/busybox:latest-tmp-single
Untagged: ccr.ccs.tencentyun.com/piao/busybox:latest-tmp-single@sha256:32e2a03e361974976d474a54e5477db24947960cb1f858a45d2c680b090cadd9
Deleted: sha256:eb6b01329ebe73e209e44a616a0e16c2b8e91de6f719df9c35e6cdadadbe5965
nerdctl load (import an image)
[root@one full]# nerdctl load -i busybox.tag.gz
unpacking docker.io/library/busybox:latest (sha256:d2b53584f580310186df7a2055ce3ff83cc0df6caacf1e3489bff8cf5d0af5d8)...done
unpacking overlayfs@sha256:d2b53584f580310186df7a2055ce3ff83cc0df6caacf1e3489bff8cf5d0af5d8 (sha256:d2b53584f580310186df7a2055ce3ff83cc0df6caacf1e3489bff8cf5d0af5d8)...done
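5. Building images
Building images is a very important everyday need. ctr has no command for building images and Docker is no longer in use here, but nerdctl provides the nerdctl build command for this.
nerdctl build (build an image from a Dockerfile)
Create a Dockerfile: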
FROM nginx:latest
RUN echo "hello word" >/usr/share/nginx/html/index.html
Build the image:
[root@one full]# nerdctl build -t nginx:nerdctl -f Dockerfile
FATA[0000] `buildctl` needs to be installed and `buildkitd` needs to be running, see https://github.com/moby/buildkit: exec: "buildctl": executable file not found in $PATH
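This reports an error saying that buildctl must be installed and buildkitd must be running, because nerdctl build depends on the buildkitd tool.
The buildkitd project is also an open-source build toolkit from Docker Inc. that supports building OCI-standard images. It mainly consists of the following parts:
Server (buildkitd): currently supports runc and containerd as workers; the default is runc. Here I use containerd.
Client (buildctl): parses the Dockerfile and sends build requests to the buildkitd server.
buildkitd follows a typical client/server architecture, and the client and server can run on different servers. When building an image, nerdctl acts as a client of buildkitd, so buildkitd must be installed and running.
2. Installing buildkitd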
wget https://github.com/moby/buildkit/releases/download/v0.9.0/buildkit-v0.9.0.linux-amd64.tar.gz
# If access is restricted, you can also use the URL below to speed up the download
wget https://download.fastgit.org/moby/buildkit/releases/download/v0.9.0/buildkit-v0.9.0.linux-amd64.tar.gz
tar -zxvf buildkit-v0.9.0.linux-amd64.tar.gz -C /usr/local/containerd/
bin/
bin/buildctl
bin/buildkit-qemu-aarch64
bin/buildkit-qemu-arm
bin/buildkit-qemu-i386
bin/buildkit-qemu-mips64
bin/buildkit-qemu-mips64el
bin/buildkit-qemu-ppc64le
bin/buildkit-qemu-riscv64
bin/buildkit-qemu-s390x
bin/buildkit-runc
bin/buildkitd
ln -s /usr/local/containerd/bin/buildkitd /usr/local/bin/buildkitd
ln -s /usr/local/containerd/bin/buildctl /usr/local/bin/buildctl
Use systemd to manage buildkitd:
cat /etc/systemd/system/buildkit.service
[Unit]
Description=BuildKit
Documentation=https://github.com/moby/buildkit
[Service]
ExecStart=/usr/local/bin/buildkitd --oci-worker=false --containerd-worker=true
[Install]
WantedBy=multi-user.target
Start buildkitd:
systemctl daemon-reload
systemctl enable buildkit.service --now
Rebuild the image:
[root@one full]# nerdctl build --no-cache -t nginx:nerdctl -f Dockerfile .
[+] Building 9.2s (6/6) FINISHED
=> [internal] load build definition from Dockerfile 0.1s
=> => transferring dockerfile: 111B 0.0s
=> [internal] load .dockerignore 0.1s
=> => transferring context: 2B 0.0s
=> [internal] load metadata for docker.io/library/nginx:latest 3.6s
=> [1/2] FROM docker.io/library/nginx:latest@sha256:859ab6768a6f26a79bc42b231664111317d095a4f04e4b6fe79ce37b3d199097 2.5s
=> => resolve docker.io/library/nginx:latest@sha256:859ab6768a6f26a79bc42b231664111317d095a4f04e4b6fe79ce37b3d199097 0.0s
=> => extracting sha256:1fe172e4850f03bb45d41a20174112bc119fbfec42a650edbbd8491aee32e3c3 1.3s
=> => extracting sha256:35c195f487df68cfbbecd2870aefb0ea52015fdb9ef15fd780838efc675dba45 1.0s
=> => extracting sha256:213b9b16f4959ca5e12777fa9977f178cf778f615f893f859f2a4ce19838c485 0.0s
=> => extracting sha256:a8172d9e19b90893f2eda38b25c9095c9822c924d7a44c7eeb44b30b0a639b9e 0.0s
=> => extracting sha256:f5eee2cb2150b290f85c57dd78b1470b77819b511d092c9be1b10876ca48b885 0.0s
=> => extracting sha256:93e404ba8667c79caef3367388107d653d53c3ff8cd885fca19de1cdd13ac685 0.1s
=> [2/2] RUN echo "hello word" >/usr/share/nginx/html/index.html 0.3s
=> exporting to oci image format 2.4s
=> => exporting layers 0.4s
=> => exporting manifest sha256:31645ca78f4a079aa09136e73fe7e60e016f7615f42cf98e8c0146f20cb2d913 0.0s
=> => exporting config sha256:857f00a5a814fe7d57903278cdcd13e0e3febe00967eb0aef83bea4186a92812 0.0s
=> => sending tarball 2.0s
unpacking docker.io/library/nginx:nerdctl (sha256:31645ca78f4a079aa09136e73fe7e60e016f7615f42cf98e8c0146f20cb2d913)...done
unpacking overlayfs@sha256:31645ca78f4a079aa09136e73fe7e60e016f7615f42cf98e8c0146f20cb2d913 (sha256:31645ca78f4a079aa09136e73fe7e60e016f7615f42cf98e8c0146f20cb2d913)...done
[root@one full]#
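The build log above shows nginx:latest being resolved to a digest only at build time, so the same Dockerfile can produce a different image whenever the tag moves. The following added example (not part of the original page) lists FROM lines that are not pinned to a sha256 digest; the function names are constructed, and the digest in the demo is the one the build log on this page resolved.

```shell
#!/bin/sh
# Added example (not from the original page): list FROM lines in a Dockerfile
# whose base image is not pinned to a sha256 digest.

# unpinned_bases <Dockerfile>
# Prints "<line>: <image>" for each unpinned base; exit status 1 if any found.
unpinned_bases() {
    awk '
        toupper($1) == "FROM" {
            i = 2
            while (i <= NF && $i ~ /^--/) i++      # skip flags such as --platform=
            img = $i
            # "scratch" and names of earlier build stages are not registry pulls
            skip = (img == "scratch") || (img in stage)
            if (toupper($(i + 1)) == "AS") stage[$(i + 2)] = 1
            if (!skip && img !~ /@sha256:[0-9a-f]+$/) {
                print NR ": " img
                found = 1
            }
        }
        END { exit found + 0 }
    ' "$1"
}

# Constructed demo: the Dockerfile from this page, then the same base pinned
# to the digest that the build log resolved nginx:latest to.
demo_pin() {
    d=$(mktemp -d)
    printf 'FROM nginx:latest\nRUN echo "hello word" >/usr/share/nginx/html/index.html\n' > "$d/Dockerfile"
    unpinned_bases "$d/Dockerfile" || echo "unpinned base image found"
    printf 'FROM nginx:latest@sha256:859ab6768a6f26a79bc42b231664111317d095a4f04e4b6fe79ce37b3d199097\n' > "$d/Dockerfile"
    unpinned_bases "$d/Dockerfile" && echo "all base images pinned"
    rm -rf "$d"
}
demo_pin
```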
View the built image:
[root@one full]# nerdctl images
WARN[0000] unparsable image name "overlayfs@sha256:31645ca78f4a079aa09136e73fe7e60e016f7615f42cf98e8c0146f20cb2d913"
WARN[0000] unparsable image name "overlayfs@sha256:d2b53584f580310186df7a2055ce3ff83cc0df6caacf1e3489bff8cf5d0af5d8"
REPOSITORY TAG IMAGE ID CREATED SIZE
ccr.ccs.tencentyun.com/piao/busybox latest d2b53584f580 2 hours ago 1.3 MiB
busybox latest d2b53584f580 5 hours ago 1.3 MiB
nginx alpine 5a0df7fb7c8c 6 days ago 16.0 KiB
nginx latest 859ab6768a6f 6 hours ago 16.0 KiB
nginx nerdctl 31645ca78f4a 50 seconds ago 24.0 KiB
31645ca78f4a 50 seconds ago 24.0 KiB
d2b53584f580 39 minutes ago 1.3 MiB
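The built image is now visible, but a WARN[0000] unparsable image name xxxx warning appears, and the image list also shows entries with an empty tag whose image ID is the same as that of the built image. This problem is also mentioned in a nerdctl GitHub issue: https://github.com/containerd/nerdctl/issues/177. It has not been fixed so far; fortunately it is only a warning and does not affect our use.
Start a container from the built image to test it: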
[root@one full]# nerdctl run -d -p 80:80 --name=nginx --restart=always nginx:nerdctl
6d7656bff4288f8a3d1b7c9f4942ab90fcd421f4d529fc76ac7a53158786a1e3
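If you still want to use docker compose in a single-host environment, nerdctl provides compatible functionality when running on containerd.
Likewise, we can use nerdctl compose, nerdctl compose up, nerdctl compose logs, nerdctl compose build, nerdctl compose down and similar commands to manage compose services. In this way, containerd and nerdctl combined with tools such as buildkit can fully replace Docker for building images and for managing images and containers.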